Snyk

ci: Workflow Updates #80

	name: Snyk

	on:
	merge_group:
	pull_request_target:
	types:
	- opened
	- synchronize
	push:
	branches:
	- main
	schedule:
	- cron: "30 0 1,15 * *"

	permissions:
	contents: read

	concurrency:
	group: ${{ github.workflow }}-${{ github.event.pull_request.number \|\| github.ref }}
	cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}

	jobs:
	authorize:
	name: Authorize
	environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' \|\| 'internal' }}
	runs-on: ubuntu-latest
	steps:
	- run: true

	configure:
	name: Configure
	needs: [authorize]
	runs-on: ubuntu-latest

	outputs:
	matrix: ${{ steps.set-matrix.outputs.matrix }}

	steps:
	- uses: actions/checkout@v4

	- id: set-matrix
	run: echo "matrix=$(jq -c . < ./.github/workflows/matrix.json)" >> $GITHUB_OUTPUT

	check:
	needs: [configure]

	name: Check for Vulnerabilities
	runs-on: ubuntu-latest

	steps:
	- if: github.actor == 'dependabot[bot]' \|\| github.event_name == 'merge_group'
	run: exit 0

	- uses: actions/checkout@v4
	with:
	ref: ${{ github.event.pull_request.merge_commit_sha \|\| github.ref }}

	- uses: ./.github/actions/setup
	with:
	php: ${{ fromJson(needs.configure.outputs.matrix).include[0].php }}

	- run: npm install snyk -g

	- if: github.ref == 'refs/heads/main'
	run: snyk monitor --file=composer.lock
	env:
	SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
	continue-on-error: true

	- run: snyk test --file=composer.lock
	env:
	SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

Provide feedback